Row-level security is an application of data security to control access to particular rows in a relational data query. The general row-level security problem is to define and enforce policies for access to particular rows identified in relational data queries. Industry-standard security authorization techniques (object-level access control entries) have not been applied because the large number of rows makes individual row-by-row access control operationally and administratively impractical.
Instead, typical industry practice has addressed row-level security by either creating fixed relational VIEWs on a table-by-table basis or by writing server-side procedural programs (“stored procedures”) to select records on each query.
A deficiency of these conventional approaches is that they require programming, either in a query language such as SQL or in a procedural language. This has kept row-level security policy administration a separate activity that is not integrated (in terms of tools or of security administrator skill set) with the broader data access security technologies used in an organization.
Another deficiency of conventional techniques is that they deal with row-level security policy in the context of individual input data sources, rather than at the broader multi-table level. This is a significant deficiency because modern relational data warehouse designs (notably STAR schemas) involve many tables and envision considerable user flexibility in querying against them. Hence policies are most naturally expressed in terms of the full set of potential queries that a user might make against a combination of tables.
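The fixed-VIEW technique described above, and the reason it does not scale to a multi-table STAR schema, as an added illustration that is not part of the original text. It uses Python over an in-memory SQLite database with constructed sample data; the single-row session_user table is an assumed stand-in for the database session's current user, which SQLite does not expose.

```python
import sqlite3

# Constructed sample data: a small STAR schema (sales fact, region dimension),
# a user-to-region authorization table, and a one-row "session" table that
# stands in for the database session's current user (assumption for SQLite).
SCHEMA = """
CREATE TABLE dim_region(region_id INTEGER PRIMARY KEY, region_name TEXT);
CREATE TABLE fact_sales(sale_id INTEGER PRIMARY KEY, region_id INTEGER, amount INTEGER);
CREATE TABLE user_region(user_name TEXT, region_id INTEGER);
CREATE TABLE session_user(user_name TEXT);
INSERT INTO dim_region VALUES (1,'North'),(2,'South');
INSERT INTO fact_sales VALUES (1,1,100),(2,1,250),(3,2,400);
INSERT INTO user_region VALUES ('alice',1),('bob',2);
-- The conventional fixed VIEW: the row-level policy is hand-coded in SQL for
-- this one table; every other table a user may query needs its own copy.
CREATE VIEW v_sales AS
  SELECT s.* FROM fact_sales s
  JOIN user_region u ON u.region_id = s.region_id
  JOIN session_user c ON c.user_name = u.user_name;
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def set_user(con, user):
    # Simulates "the current session belongs to <user>".
    con.execute("DELETE FROM session_user")
    con.execute("INSERT INTO session_user VALUES (?)", (user,))

def sales_via_view(con, user):
    # The view filters rows to the caller's authorized region only.
    set_user(con, user)
    return [r[0] for r in con.execute("SELECT amount FROM v_sales ORDER BY sale_id")]

def sales_via_base_table(con):
    # The policy lives in the view alone: if the base table stays queryable,
    # nothing stops a caller from reading every row.
    return [r[0] for r in con.execute("SELECT amount FROM fact_sales ORDER BY sale_id")]

def sales_by_region_via_view(con, user):
    # A STAR-style multi-table query only stays policy-compliant if the join
    # is routed through the per-table view rather than the fact table itself.
    set_user(con, user)
    return list(con.execute(
        "SELECT d.region_name, SUM(v.amount) FROM v_sales v "
        "JOIN dim_region d ON d.region_id = v.region_id GROUP BY d.region_name"))
```

The contrast between sales_via_view and sales_via_base_table is the operational caveat: a VIEW-based policy is only as strong as the revocation of direct access to the underlying tables.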
Because providing guidance about effective patterns for generating ad-hoc queries against particular multi-table data models is beyond the scope of the SQL standard, the industry has evolved proprietary query metadata frameworks to guide end users in creating queries. These frameworks provide metadata for other types of policy controls—such as rules for the generation of meaningful queries and column-level data security. But while such frameworks can be used with data sources to which row-level security has been applied individually, they have not integrated row-level security policy definition at this higher, multi-table level.
Accordingly, row-level security policy definition has previously been a specialized activity focused on individual data sources. As a result, it has been integrated neither with conventional security frameworks nor with the higher-level (multi-table) query policy tools that are increasingly used to guide and govern ad-hoc queries against data warehouses.